[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: GPL applications using Python (OpenSSL issue?)

2011/3/7 Ulrik Sverdrup <ulrik.sverdrup@gmail.com>:
> Can GPLv3+ applications written in Python exist in Debian main? The
> applications in question do not use an openssl exception.
> Python uses OpenSSL so the moment the application starts, it is linking
> against it too:
> $ objdump -p /usr/bin/python2.6 | grep NEEDED
>  NEEDED               libpthread.so.0
>  NEEDED               libdl.so.2
>  NEEDED               libutil.so.1
>  NEEDED               libssl.so.0.9.8
>  NEEDED               libcrypto.so.0.9.8
>  NEEDED               libz.so.1
>  NEEDED               libm.so.6
>  NEEDED               libc.so.6
> In my case I am talking about a GPLv3+ package that exists in Debian --
> kupfer
> Where do I draw the line for using/linking against ssl?
> a) Using Python2.6
> b) Unintentionally introducing _ssl or ssl into the imported modules
>   (import any of urllib, httplib, socket etc!)
> c) Unintentionally using ssl  (use urllib.urlopen on URL provided by
>   user -- if it's https we are using openssl)
> d) Intentionally using ssl (import ssl and use httplib.HTTPSConnection
>   and verify certificates)
> Kupfer is today at (c) in the debian archive. It exists in development
> version at (d).
> Clearly (d) has provoked thought but upon investigation I see that
> "import ssl" only triggers "import _ssl" which in turn is an almost
> no-op because _ssl is a built-in module in Python 2.6.
> Is this easier to answer than I think it is?

I don't think this is easy to resolve. It's not the developer's (mine)
issue, it's not the users issue but it's the distributors issue.

FYI, it was briefly discussed on Python-dev:


Of course kupfer (example app) can work without ssl. But the thread
finds another problem, the inavailablity of hashlib (thus md5 and


> But you're also left with not being able to 'import hashlib'. While python has fallback
> code, those modules (_md5, _sha, _sha256, _sha512) aren't built if openssl was found
> at build time. So you can't just select at runtime that you didn't want to use openssl.
> Not being able to import hashlib unfortunately makes urllib2 (and a lot of 3rd party
> packages) fail to import.

md5 and sha1 are used in many desktop programs, for example to locate
file thumbnails.


Reply to: